openbao-helm/CHANGELOG.md
Tom Proctor e2711a2002
Prepare for 0.25.0 release (#916)
* Prepare for 0.25.0 release
* Update CSI acceptance test assertion

Starting in 1.4.0, the CSI provider caches Vault tokens locally. The main thing
we want to check is that the Agent cache is being used so that it's doing the
renewal legwork for any leased secrets, so check for the renewal log message instead
because CSI won't auth over and over anymore.
2023-06-26 16:00:04 +01:00

Unreleased

0.25.0 (June 26, 2023)

Changes:

  • Latest Kubernetes version tested is now 1.27
  • server: Headless service ignores server.service.publishNotReadyAddresses setting and always sets it as true GH-902
  • vault updated to 1.14.0 GH-916
  • vault-csi-provider updated to 1.4.0 GH-916

Improvements:

  • CSI: Make nodeSelector and affinity configurable for CSI daemonset's pods GH-862
  • injector: Add ephemeralLimit and ephemeralRequest as options for configuring Agent's ephemeral storage resources GH-798
  • Minimum Kubernetes version for the chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version GH-916

Bugs:

  • server: Set the default for prometheusRules.rules to an empty list GH-886

0.24.1 (April 17, 2023)

Bugs:

  • csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions GH-872

0.24.0 (April 6, 2023)

Changes:

  • Earliest Kubernetes version tested is now 1.22
  • vault updated to 1.13.1 GH-863
  • vault-k8s updated to 1.2.1 GH-868
  • vault-csi-provider updated to 1.3.0 GH-749

Features:

  • server: New extraPorts option for adding ports to the Vault server statefulset GH-841
  • server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset GH-831
  • injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe GH-852
  • csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals GH-749

0.23.0 (November 28th, 2022)

Changes:

  • vault updated to 1.12.1 GH-814
  • vault-k8s updated to 1.1.0 GH-814
  • vault-csi-provider updated to 1.2.1 GH-814

Features:

  • server: Add extraLabels for Vault server serviceAccount GH-806
  • server: Add server.service.active.enabled and server.service.standby.enabled options to selectively disable additional services GH-811
  • server: Add server.serviceAccount.serviceDiscovery.enabled option to selectively disable a Vault service discovery role and role binding GH-811
  • server: Add server.service.instanceSelector.enabled option to allow selecting pods outside the helm chart deployment GH-813

Bugs:

  • server: Quote .server.ha.clusterAddr value GH-810

0.22.1 (October 26th, 2022)

Changes:

  • vault updated to 1.12.0 GH-803
  • vault-k8s updated to 1.0.1 GH-803

0.22.0 (September 8th, 2022)

Features:

  • Add PrometheusOperator support for collecting Vault server metrics. GH-772

Changes:

  • vault-k8s to 1.0.0 GH-784
  • Test against Kubernetes 1.25 GH-784
  • vault updated to 1.11.3 GH-785

0.21.0 (August 10th, 2022)

Changes:

  • vault-k8s updated to 0.17.0. GH-771
  • vault-csi-provider updated to 1.2.0 GH-771
  • vault updated to 1.11.2 GH-771
  • Start testing against Kubernetes 1.24. GH-744
  • Deprecated injector.externalVaultAddr. Added global.externalVaultAddr, which applies to both the Injector and the CSI Provider. GH-745
  • CSI Provider pods now set the VAULT_ADDR environment variable to either the internal Vault service or the configured external address. GH-745

Features:

  • server: Add server.statefulSet.securityContext to override pod and container securityContext. GH-767
  • csi: Add csi.daemonSet.securityContext to override pod and container securityContext. GH-767
  • injector: Add injector.securityContext to override pod and container securityContext. GH-750 and GH-767
  • Add server.service.activeNodePort and server.service.standbyNodePort to specify the nodePort for active and standby services. GH-610
  • Support for setting annotations on the injector's serviceAccount GH-753

0.20.1 (May 25th, 2022)

Changes:

  • vault-k8s updated to 0.16.1 GH-739

Improvements:

  • Mutating webhook will no longer target the agent injector pod GH-736

Bugs:

  • vault service account is now created even if the server is set to disabled, as it was before 0.20.0 GH-737

0.20.0 (May 16th, 2022)

Changes:

  • global.enabled now works as documented: setting global.enabled to false disables every component, and individual components can then be turned back on individually GH-703
  • The default value - for injector.enabled and server.enabled indicates that they follow global.enabled GH-703
  • Vault default image to 1.10.3
  • CSI provider default image to 1.1.0
  • Vault K8s default image to 0.16.0
  • Earliest Kubernetes version tested is now 1.16
  • Helm 3.6+ now required

Features:

  • Support topologySpreadConstraints in server and injector. GH-652

Improvements:

  • CSI: Set extraLabels for daemonset, pods, and service account GH-690
  • Add namespace to injector-leader-elector role, rolebinding and secret GH-683
  • Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector GH-710
  • Make the Cluster Address (CLUSTER_ADDR) configurable GH-629
  • server: Make publishNotReadyAddresses configurable for services GH-694
  • server: Allow config to be defined as a YAML object in the values file GH-684
  • Maintain default MutatingWebhookConfiguration values from v1beta1 GH-692
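
As an added example (not part of this changelog or of the chart's own files), the values fragment below combines the 0.21.0 and 0.20.0 entries: global.enabled: false turns every component off, the injector and CSI provider are re-enabled individually and pointed at an external Vault through global.externalVaultAddr, and the securityContext overrides from GH-767 lock down the injector and CSI pods. The Vault address is made up, and the pod/container sub-keys under each securityContext and the csi.enabled key are assumptions taken from the upstream chart's values layout rather than from this page.

```yaml
# Added example values file. The address, and the pod/container sub-keys under
# securityContext, are assumptions; only the top-level keys are named in the changelog.
global:
  enabled: false                                      # 0.20.0: everything off unless enabled below
  externalVaultAddr: "https://vault.example.internal:8200"   # 0.21.0: replaces injector.externalVaultAddr

server:
  enabled: false                                      # no in-cluster Vault; 0.20.1 still creates the service account

injector:
  enabled: true                                       # opt back in after global.enabled: false
  securityContext:                                    # 0.21.0: GH-750 / GH-767
    pod:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    container:
      allowPrivilegeEscalation: false                 # chart default since 0.9.0; restated so an override cannot drop it
      capabilities:
        drop: ["ALL"]

csi:
  enabled: true
  securityContext:                                    # 0.21.0: GH-767
    pod:
      seccompProfile:
        type: RuntimeDefault
    container:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Render with helm template before and after applying the override and diff the output: the chart already sets allowPrivilegeEscalation: false on the Vault and injector containers (0.9.0), so an override only needs to keep that while adding the seccomp profile and the capability drop. runAsNonRoot is deliberately left off the CSI container above: the provider writes its socket into the csi.daemonSet.providersDir hostPath (0.16.0), and whether a non-root UID can do so on a given node must be tested before it is enforced. server.statefulSet.securityContext takes the same pod/container layout when the server is enabled.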

0.19.0 (January 20th, 2022)

Changes:

  • Vault image default 1.9.2
  • Vault K8s image default 0.14.2

Features:

  • Added configurable podDisruptionBudget for injector GH-653
  • Make terminationGracePeriodSeconds configurable for server GH-659
  • Added configurable update strategy for injector GH-661
  • csi: ability to set priorityClassName for CSI daemonset pods GH-670

Improvements:

  • Set the namespace on the OpenShift Route GH-679
  • Add volumes and env vars to helm hook test pod GH-673
  • Make TLS configurable for OpenShift routes GH-686

0.18.0 (November 17th, 2021)

Changes:

  • Removed support for deploying a leader-elector container with the vault-k8s injector, since vault-k8s now uses an internal mechanism to determine leadership GH-649
  • Vault image default 1.9.0
  • Vault K8s image default 0.14.1

Improvements:

  • Added templateConfig.staticSecretRenderInterval chart option for the injector GH-621

0.17.1 (October 25th, 2021)

Improvements:

  • Add option for Ingress PathType GH-634

0.17.0 (October 21st, 2021)

Known issues:

  • The chart will fail to deploy on Kubernetes 1.19+ with server.ingress.enabled=true because no pathType is set

Changes:

  • Vault image default 1.8.4
  • Vault K8s image default 0.14.0

Improvements:

  • Support Ingress stable networking API GH-590
  • Support setting the externalTrafficPolicy for LoadBalancer and NodePort service types GH-626
  • Support setting ingressClassName on server Ingress GH-630

Bugs:

  • Ensure kubeletRootDir volume path and mounts are the same when csi.daemonSet.kubeletRootDir is overridden GH-628

0.16.1 (September 29th, 2021)

Changes:

  • Vault image default 1.8.3
  • Vault K8s image default 0.13.1

0.16.0 (September 16th, 2021)

Changes:

  • Support for deploying a leader-elector container with the vault-k8s injector will be removed in version 0.18.0 of this chart, since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set useContainer=true.

Improvements:

  • Make CSI provider hostPaths configurable via csi.daemonSet.providersDir and csi.daemonSet.kubeletRootDir GH-603
  • Support vault-k8s internal leader election GH-568 GH-607

0.15.0 (August 23rd, 2021)

Improvements:

  • Add imagePullSecrets on server test GH-572
  • Add injector.webhookAnnotations chart option GH-584

0.14.0 (July 28th, 2021)

Features:

  • Added templateConfig.exitOnRetryFailure chart option for the injector GH-560

Improvements:

  • Support configuring pod tolerations, pod affinity, and node selectors as YAML GH-565
  • Set the default vault image to come from the hashicorp organization GH-567
  • Add support for running the acceptance tests against a local kind cluster GH-567
  • Add server.ingress.activeService to configure if the ingress should use the active service GH-570
  • Add server.route.activeService to configure if the route should use the active service GH-570
  • Support configuring global.imagePullSecrets from a string array GH-576

0.13.0 (June 17th, 2021)

Improvements:

  • Added a helm test for vault server GH-531
  • Added server.enterpriseLicense option GH-547
  • Added OpenShift overrides GH-549

Bugs:

  • Fix ui.serviceNodePort schema GH-537
  • Fix server.ha.disruptionBudget.maxUnavailable schema GH-535
  • Added webhook-certs volume mount to sidecar injector GH-545

0.12.0 (May 25th, 2021)

Features:

  • Pass additional arguments to vault-csi-provider using csi.extraArgs GH-526

Improvements:

  • Set chart kubeVersion and added chart-verifier tests GH-510
  • Added values json schema GH-513
  • Ability to set tolerations for CSI daemonset pods GH-521
  • UI target port is now configurable GH-437

Bugs:

  • CSI: global.imagePullSecrets are now also used for CSI daemonset GH-519

0.11.0 (April 14th, 2021)

Features:

  • Added server.enabled to explicitly skip installing a Vault server GH-486
  • Injector now supports enabling host network GH-471
  • Injector port is now configurable GH-489
  • Injector Vault Agent resource defaults are now configurable GH-493
  • Extra paths can now be added to the Vault ingress service GH-460
  • Log level and format can now be set directly using server.logFormat and server.logLevel GH-488

Improvements:

  • Added https name to injector service port GH-495

Bugs:

  • CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name GH-486

0.10.0 (March 25th, 2021)

Improvements:

  • objectSelector can now be set on the mutating admission webhook GH-456

0.9.1 (February 2nd, 2021)

Bugs:

  • Injector: fix labels for default anti-affinity rule GH-441, GH-442
  • Set VAULT_DEV_LISTEN_ADDRESS in dev mode GH-446

0.9.0 (January 5th, 2021)

Features:

  • Injector now supports configurable number of replicas GH-436
  • Injector now supports auto TLS for multiple replicas using leader elections GH-436

Improvements:

  • Dev mode now supports server.extraArgs GH-421
  • Dev mode root token is now configurable with server.dev.devRootToken GH-415
  • ClusterRoleBinding updated to v1 GH-395
  • MutatingWebhook updated to v1 GH-408
  • Injector service now supports injector.service.annotations GH-425
  • Injector now supports injector.extraLabels GH-428
  • Added allowPrivilegeEscalation: false to Vault and Injector containers GH-429
  • Network Policy now supports server.networkPolicy.egress GH-389

0.8.0 (October 20th, 2020)

Improvements:

  • Make server NetworkPolicy independent of OpenShift GH-381
  • Added configurables for all probe values GH-387
  • MountPath for audit and data storage is now configurable GH-393
  • Annotations can now be added to the Injector pods GH-394
  • The injector can now be configured with a failurePolicy GH-400
  • Added additional environment variables for rendering within Vault config GH-398
  • Service account for Vault K8s auth is automatically created when injector.externalVaultAddr is set GH-392

Bugs:

  • Fixed install output using Helm V2 command GH-378

0.7.0 (August 24th, 2020)

Features:

  • Added volumes and volumeMounts for mounting any type of volume GH-314.
  • Added a configurable to enable the Prometheus telemetry exporter for the Vault Agent Injector GH-372

Improvements:

  • Added defaultMode configurable to extraVolumes GH-321
  • Option to install and use PodSecurityPolicy's for vault server and injector GH-177
  • VAULT_API_ADDR is now configurable GH-290
  • Removed deprecated tolerate unready endpoint annotations GH-363
  • Add an option to set annotations on the StatefulSet GH-199
  • Make the vault server serviceAccount name a configuration option GH-367
  • Removed annotation restriction from dev mode GH-371
  • Add an option to set annotations on PVCs GH-364
  • Added service configurables for UI GH-285

Bugs:

  • Fix python dependency in test image GH-337
  • Fix caBundle not being quoted causing validation issues with Helm 3 GH-352
  • Fix injector network policy being rendered when injector is not enabled GH-358

0.6.0 (June 3rd, 2020)

Features:

  • Added extraInitContainers to define init containers for the Vault cluster GH-258
  • Added postStart lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready GH-315
  • Beta: Added OpenShift support GH-319

Improvements:

  • Server configs can now be defined in YAML. Multi-line string configs are still compatible GH-213
  • Removed IPC_LOCK privileges since swap is disabled on containers GH-198
  • Use port names that map to vault.scheme GH-223
  • Allow both yaml and multi-line string annotations GH-272
  • Added configurable to set the Raft node name to hostname GH-269
  • Support setting priorityClassName on pods GH-282
  • Added support for ingress apiVersion networking.k8s.io/v1beta1 GH-310
  • Added configurable to change service type for the HA active service GH-317

Bugs:

  • Fixed default ingress path GH-224
  • Fixed annotations for HA standby/active services GH-268
  • Updated some value defaults to match their use in templates GH-309
  • Use active service on ingress when ha GH-270
  • Fixed bug where pull secrets weren't being used for injector image GH-298

0.5.0 (April 9th, 2020)

Features:

  • Added Raft support for HA mode [GH-228]
  • Now supports Vault Enterprise [GH-250]
  • Added K8s Service Registration for HA modes [GH-250]
  • Option to set AGENT_INJECT_VAULT_AUTH_PATH for the injector [GH-185]
  • Added environment variables for logging and revocation on Vault Agent Injector [GH-219]
  • Option to set environment variables for the injector deployment [GH-232]
  • Added affinity, tolerations, and nodeSelector options for the injector deployment [GH-234]
  • Made all annotations multi-line strings [GH-227]

0.4.0 (February 21st, 2020)

Improvements:

  • Allow process namespace sharing between Vault and sidecar containers [GH-174]
  • Added configurable to change updateStrategy [GH-172]
  • Added sleep in the preStop lifecycle step [GH-188]
  • Updated chart and tests to Helm 3 [GH-195]
  • Added injector.externalVaultAddr to use the injector with an external Vault [GH-207]

Bugs:

  • Fixed a bug where the Vault lifecycle was appended after extra containers [GH-179]

0.3.3 (January 14th, 2020)

Security:

  • Added server.extraArgs to allow loading of additional Vault configurations containing sensitive settings GH-175

Bugs:

  • Fixed injection bug where wrong environment variables were being used for manually mounted TLS files

0.3.2 (January 8th, 2020)

Bugs:

  • Fixed injection bug where TLS Skip Verify was true by default [VK8S-35]

0.3.1 (January 2nd, 2020)

Bugs:

  • Fixed injection bug causing kube-system pods to be rejected [VK8S-14]

0.3.0 (December 19th, 2019)

Features:

  • Extra containers can now be added to the Vault pods
  • Added configurability of pod probes
  • Added Vault Agent Injector

Improvements:

  • Moved global.image to server.image
  • Changed UI service template to route pods that aren't ready via publishNotReadyAddresses: true
  • Added better HTTP/HTTPS scheme support to http probes
  • Added configurable node port for Vault service
  • server.authDelegator is now enabled by default

Bugs:

  • Fixed upgrade bug by removing chart label which contained the version
  • Fixed typo on serviceAccount (was serviceaccount)
  • Fixed readiness/liveness HTTP probe default to accept standbys

0.2.1 (November 12th, 2019)

Bugs:

  • Removed readOnlyRootFilesystem causing issues when validating deployments

0.2.0 (October 29th, 2019)

Features:

  • Added load balancer support
  • Added ingress support
  • Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc)
  • Removed the root requirement; the server now runs as the vault user

Improvements:

  • Added namespace value to all rendered objects
  • Made ports configurable in services
  • Added the ability to add custom annotations to services
  • Added docker image for running bats test in CircleCI
  • Removed restrictions around dev mode such as annotations
  • readOnlyRootFilesystem is now configurable
  • Image Pull Policy is now configurable
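
Several entries above are hardening defaults that an override or a later values change can silently undo: the server running as the vault user (0.2.0), readOnlyRootFilesystem being configurable (0.2.0 and 0.2.1), IPC_LOCK removed from the containers (0.6.0), allowPrivilegeEscalation: false on the Vault and injector containers (0.9.0), and hostNetwork being an opt-in for the injector (0.11.0). As an added example (not code from this chart or its tests), the script below audits rendered workloads for exactly those settings. It reads JSON; one way to produce that from a render is helm template ... | yq ea -o=json '[.]' with mikefarah's yq v4, which is an assumption about tooling, not something this page states. The two manifests embedded at the bottom are constructed for the example and are not chart output.

```python
"""Added example: audit rendered Deployments/StatefulSets/DaemonSets for the
container-hardening settings this chart adopted over time.

Usage (assumed tooling):  helm template vault hashicorp/vault | yq ea -o=json '[.]' | python audit.py
Exit status is 1 when any finding is reported.
"""
import json
import sys

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def _containers(pod_spec):
    """Audit init containers too: a privileged init step is still a privileged step."""
    return pod_spec.get("initContainers", []) + pod_spec.get("containers", [])


def audit_workload(obj):
    """Return a list of human-readable findings; an empty list means the workload passes."""
    findings = []
    if obj.get("kind") not in WORKLOAD_KINDS:
        return findings
    ident = f'{obj["kind"]}/{obj.get("metadata", {}).get("name", "<unnamed>")}'
    pod_spec = obj.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext") or {}

    if pod_spec.get("hostNetwork"):                       # 0.11.0 made this an injector opt-in
        findings.append(f"{ident}: hostNetwork is enabled")

    for c in _containers(pod_spec):
        cid = f"{ident} container {c.get('name', '<unnamed>')}"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{cid}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:   # 0.9.0 default
            findings.append(f"{cid}: allowPrivilegeEscalation is not false")
        # A container-level runAsNonRoot overrides the pod-level one, so resolve it that way.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cid}: runAsNonRoot is not true")
        added = (sc.get("capabilities") or {}).get("add") or []   # IPC_LOCK was dropped in 0.6.0
        if added:
            findings.append(f"{cid}: adds capabilities {sorted(added)}")
        if sc.get("readOnlyRootFilesystem") is not True:  # configurable since 0.2.0; report, do not fail hard
            findings.append(f"{cid}: readOnlyRootFilesystem is not true (informational)")
    return findings


def audit_manifests(doc):
    """Accept a JSON array, a kind: List, or a single object and return every finding."""
    if isinstance(doc, list):
        objs = doc
    elif isinstance(doc, dict) and doc.get("kind") == "List":
        objs = doc.get("items", [])
    else:
        objs = [doc]
    findings = []
    for obj in objs:
        if isinstance(obj, dict):
            findings.extend(audit_workload(obj))
    return findings


# Constructed samples for the example; not rendered chart output.
HARDENED_SERVER = {
    "kind": "StatefulSet",
    "metadata": {"name": "vault"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "vault",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True}}],
    }}},
}

WEAK_INJECTOR = {  # what an override that re-adds the pre-0.9.0 behaviour looks like
    "kind": "Deployment",
    "metadata": {"name": "vault-agent-injector"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "sidecar-injector",
                        "securityContext": {"capabilities": {"add": ["IPC_LOCK"]}}}],
    }}},
}

if __name__ == "__main__":
    doc = [HARDENED_SERVER, WEAK_INJECTOR] if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_manifests(doc)
    for line in results:
        print(line)
    sys.exit(1 if results else 0)
```

Run it with no stdin to see the constructed samples: the hardened StatefulSet produces no findings, while the weak Deployment is reported for hostNetwork, the missing allowPrivilegeEscalation: false, the missing runAsNonRoot, the added IPC_LOCK capability and the read-only root filesystem. The readOnlyRootFilesystem check is labelled informational because 0.2.1 removed it as a default after it broke deployment validation; treat a finding there as something to test rather than as a failure.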

Bugs:

  • Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption)
  • Fixed bug where audit storage was not being mounted in HA mode
  • Fixed bug where Vault pod wasn't receiving SIGTERM signals

0.1.2 (August 22nd, 2019)

Features:

  • Added extraSecretEnvironmentVars to allow users to mount secrets as environment variables
  • Added tlsDisable configurable to change HTTP protocols from HTTP/HTTPS depending on the value
  • Added serviceNodePort to configure a NodePort value when setting serviceType to "NodePort"

Improvements:

  • Changed UI port to 8200 for better HTTP protocol support
  • Added path to extraVolumes to define where the volume should be mounted. Defaults to /vault/userconfig
  • Upgraded Vault to 1.2.2

Bugs:

  • Fixed bug where upgrade would fail because immutable labels were being changed (Helm Version label)
  • Fixed bug where UI service used wrong selector after updating helm labels
  • Added the VAULT_API_ADDR env var to the Vault pod to fix a bug where Vault thought Consul was the active node
  • Removed the step-down preStop since it requires authentication. The shutdown signal sent by Kube acts similarly to step-down

0.1.1 (August 7th, 2019)

Features:

  • Added authDelegator Cluster Role Binding to Vault service account for bootstrapping Kube auth method

Improvements:

  • Added server.service.clusterIP to values.yml so users can toggle the Vault service to headless by using the value None.
  • Upgraded Vault to 1.2.1

0.1.0 (August 6th, 2019)

Initial release